2.2.2.5 NEGOTIATE

2/14/2019


During NTLM authentication, each of the following flags is a
possible value of the NegotiateFlags field of the NEGOTIATE_MESSAGE,
CHALLENGE_MESSAGE,
and AUTHENTICATE_MESSAGE,
unless otherwise noted. These flags define client or server NTLM capabilities
supported by the sender.

The NegotiateFlags field is 32 bits wide. It is shown below as in the
protocol's bit diagrams: bit 0 at the left is the most significant bit,
and the field itself is transmitted as a 4-byte little-endian integer,
so W corresponds to the mask 0x80000000 and A to 0x00000001.

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|W|V|U|r|r|r|T|r|S|R|r|Q|P|r|O|N|M|r|L|K|J|r|H|r|G|F|E|D|r|C|B|A|
| | | |1|2|3| |4| | |5| | |6| | | |7| | | |8| |9| | | | |1| | | |
| | | | | | | | | | | | | | | | | | | | | | | | | | | | |0| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Bit    Field   Mask         Flag
 0     W       0x80000000   NTLMSSP_NEGOTIATE_56
 1     V       0x40000000   NTLMSSP_NEGOTIATE_KEY_EXCH
 2     U       0x20000000   NTLMSSP_NEGOTIATE_128
 3-5   r1-r3   0x1C000000   unused, MUST be zero
 6     T       0x02000000   NTLMSSP_NEGOTIATE_VERSION
 7     r4      0x01000000   unused, MUST be zero
 8     S       0x00800000   NTLMSSP_NEGOTIATE_TARGET_INFO
 9     R       0x00400000   NTLMSSP_REQUEST_NON_NT_SESSION_KEY
10     r5      0x00200000   unused, MUST be zero
11     Q       0x00100000   NTLMSSP_NEGOTIATE_IDENTIFY
12     P       0x00080000   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
13     r6      0x00040000   unused, MUST be zero
14     O       0x00020000   NTLMSSP_TARGET_TYPE_SERVER
15     N       0x00010000   NTLMSSP_TARGET_TYPE_DOMAIN
16     M       0x00008000   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
17     r7      0x00004000   unused, MUST be zero
18     L       0x00002000   NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED
19     K       0x00001000   NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
20     J       0x00000800   NTLMSSP_ANONYMOUS
21     r8      0x00000400   unused, MUST be zero
22     H       0x00000200   NTLMSSP_NEGOTIATE_NTLM
23     r9      0x00000100   unused, MUST be zero
24     G       0x00000080   NTLMSSP_NEGOTIATE_LM_KEY
25     F       0x00000040   NTLMSSP_NEGOTIATE_DATAGRAM
26     E       0x00000020   NTLMSSP_NEGOTIATE_SEAL
27     D       0x00000010   NTLMSSP_NEGOTIATE_SIGN
28     r10     0x00000008   unused, MUST be zero
29     C       0x00000004   NTLMSSP_REQUEST_TARGET
30     B       0x00000002   NTLM_NEGOTIATE_OEM
31     A       0x00000001   NTLMSSP_NEGOTIATE_UNICODE

W (1 bit): If set, requests 56-bit encryption.
If the client sends NTLMSSP_NEGOTIATE_SEAL or NTLMSSP_NEGOTIATE_SIGN with
NTLMSSP_NEGOTIATE_56 to the server in the NEGOTIATE_MESSAGE, the server MUST
return NTLMSSP_NEGOTIATE_56 to the client in the CHALLENGE_MESSAGE. Otherwise
it is ignored. If both NTLMSSP_NEGOTIATE_56 and NTLMSSP_NEGOTIATE_128 are
requested and supported by the client and server, NTLMSSP_NEGOTIATE_56 and
NTLMSSP_NEGOTIATE_128 will both be returned to the client. Clients and servers
that set NTLMSSP_NEGOTIATE_SEAL SHOULD set NTLMSSP_NEGOTIATE_56 if it is
supported. An alternate name for this field is NTLMSSP_NEGOTIATE_56.

V (1 bit): If set, requests an explicit key
exchange. This capability SHOULD be used because it improves security for
message integrity or confidentiality. See sections 3.2.5.1.2, 3.2.5.2.1,
and 3.2.5.2.2
for details. An alternate name for this field is NTLMSSP_NEGOTIATE_KEY_EXCH.

U (1 bit): If set, requests 128-bit session
key negotiation. If the client sends NTLMSSP_NEGOTIATE_128 to the server
in the NEGOTIATE_MESSAGE, the server MUST return NTLMSSP_NEGOTIATE_128 to the
client in the CHALLENGE_MESSAGE only if the client sets NTLMSSP_NEGOTIATE_SEAL
or NTLMSSP_NEGOTIATE_SIGN. Otherwise it is ignored. If both
NTLMSSP_NEGOTIATE_56 and NTLMSSP_NEGOTIATE_128 are requested and supported by
the client and server, NTLMSSP_NEGOTIATE_56 and NTLMSSP_NEGOTIATE_128 will both
be returned to the client. Clients and servers that set NTLMSSP_NEGOTIATE_SEAL
SHOULD set NTLMSSP_NEGOTIATE_128 if it is supported. An alternate name for this
field is NTLMSSP_NEGOTIATE_128.<23>

r1 (1 bit): This bit is unused and MUST be
zero.

r2 (1 bit): This bit is unused and MUST be
zero.

r3 (1 bit): This bit is unused and MUST be
zero.

T (1 bit): If set, requests the protocol
version number. The data corresponding to this flag is provided in the Version
field of the NEGOTIATE_MESSAGE, the CHALLENGE_MESSAGE, and the
AUTHENTICATE_MESSAGE.<24> An alternate name for this
field is NTLMSSP_NEGOTIATE_VERSION.

r4 (1 bit): This bit is unused and MUST be
zero.

S (1 bit): If set, indicates that the TargetInfo
fields in the CHALLENGE_MESSAGE (section 2.2.1.2) are populated. An alternate
name for this field is NTLMSSP_NEGOTIATE_TARGET_INFO.

R (1 bit): If set, requests the usage of the LMOWF (the LM one-way
function) for the session key.
An alternate name for this field is NTLMSSP_REQUEST_NON_NT_SESSION_KEY.

r5 (1 bit): This bit is unused and MUST be
zero.

Q (1 bit): If set, requests an identify
level token. An alternate name for this field is NTLMSSP_NEGOTIATE_IDENTIFY.

P (1 bit): If set, requests usage of the NTLM
v2 session
security. NTLM v2 session security is a misnomer because it is not
NTLM v2. It is NTLM v1 using the extended session security that is also in NTLM
v2. NTLMSSP_NEGOTIATE_LM_KEY and NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY are
mutually exclusive. If both NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY and
NTLMSSP_NEGOTIATE_LM_KEY are requested,
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY alone MUST be returned to the
client. NTLM v2 authentication session key generation MUST be supported by both
the client and the DC in order to be
used, and extended session security signing and sealing requires support from
the client and the server in order to be used.<25> An
alternate name for this field is NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY.

r6 (1 bit): This bit is unused and MUST be
zero.

O (1 bit): If set, TargetName MUST be a
server name. The data corresponding to this flag is provided by the server in
the TargetName field of the CHALLENGE_MESSAGE. If this bit is set, then
NTLMSSP_TARGET_TYPE_DOMAIN MUST NOT be set. This flag MUST be ignored in the
NEGOTIATE_MESSAGE and the AUTHENTICATE_MESSAGE. An alternate name for this
field is NTLMSSP_TARGET_TYPE_SERVER.

N (1 bit): If set, TargetName MUST be a
domain
name. The data corresponding to this flag is provided by the server
in the TargetName field of the CHALLENGE_MESSAGE. If set, then
NTLMSSP_TARGET_TYPE_SERVER MUST NOT be set. This flag MUST be ignored in the
NEGOTIATE_MESSAGE and the AUTHENTICATE_MESSAGE. An alternate name for this
field is NTLMSSP_TARGET_TYPE_DOMAIN.

M (1 bit): If set, requests the presence of a
signature block on all messages. NTLMSSP_NEGOTIATE_ALWAYS_SIGN MUST be set in
the NEGOTIATE_MESSAGE to the server and the CHALLENGE_MESSAGE to the client.
NTLMSSP_NEGOTIATE_ALWAYS_SIGN is overridden by NTLMSSP_NEGOTIATE_SIGN and
NTLMSSP_NEGOTIATE_SEAL, if they are supported. An alternate name for this field
is NTLMSSP_NEGOTIATE_ALWAYS_SIGN.

r7 (1 bit): This bit is unused and MUST be
zero.

L (1 bit): This flag indicates whether the Workstation
field is present. If this flag is not set, the Workstation field MUST be
ignored. If this flag is set, the length of the Workstation field
specifies whether the workstation name is nonempty or not.<26> An alternate name for this
field is NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED.

K (1 bit): If set, the domain name is provided
(section 2.2.1.1).<27> An alternate name for this
field is NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED.

J (1 bit): If set, the connection SHOULD be anonymous. An alternate
name for this field is NTLMSSP_ANONYMOUS.

r8 (1 bit): This bit is unused and MUST be
zero.

H (1 bit): If set, requests usage of the NTLM
v1 session security protocol. NTLMSSP_NEGOTIATE_NTLM MUST be set in the
NEGOTIATE_MESSAGE to the server and the CHALLENGE_MESSAGE to the client. An
alternate name for this field is NTLMSSP_NEGOTIATE_NTLM.

r9 (1 bit): This bit is unused and MUST be
zero.

G (1 bit): If set, requests LAN Manager (LM)
session key computation. NTLMSSP_NEGOTIATE_LM_KEY and
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY are mutually exclusive. If both
NTLMSSP_NEGOTIATE_LM_KEY and NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY are
requested, NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY alone MUST be returned to
the client. NTLM v2 authentication session key generation MUST be supported by
both the client and the DC in order to be used, and extended session security
signing and sealing requires support from the client and the server to be used.
An alternate name for this field is NTLMSSP_NEGOTIATE_LM_KEY.

F (1 bit): If set, requests connectionless
authentication. If NTLMSSP_NEGOTIATE_DATAGRAM is set, then
NTLMSSP_NEGOTIATE_KEY_EXCH MUST always be set in the AUTHENTICATE_MESSAGE to
the server and the CHALLENGE_MESSAGE to the client. An alternate name for this
field is NTLMSSP_NEGOTIATE_DATAGRAM.

E (1 bit): If set, requests session key
negotiation for message confidentiality. If the client sends
NTLMSSP_NEGOTIATE_SEAL to the server in the NEGOTIATE_MESSAGE, the server MUST
return NTLMSSP_NEGOTIATE_SEAL to the client in the CHALLENGE_MESSAGE. Clients
and servers that set NTLMSSP_NEGOTIATE_SEAL SHOULD always set
NTLMSSP_NEGOTIATE_56 and NTLMSSP_NEGOTIATE_128, if they are supported. An
alternate name for this field is NTLMSSP_NEGOTIATE_SEAL.

D (1 bit): If set, requests session key
negotiation for message signatures. If the client sends NTLMSSP_NEGOTIATE_SIGN
to the server in the NEGOTIATE_MESSAGE, the server MUST return
NTLMSSP_NEGOTIATE_SIGN to the client in the CHALLENGE_MESSAGE. An alternate
name for this field is NTLMSSP_NEGOTIATE_SIGN.

r10 (1 bit): This bit is unused and MUST be
zero.

C (1 bit): If set, a TargetName field
of the CHALLENGE_MESSAGE (section 2.2.1.2) MUST be supplied. An
alternate name for this field is NTLMSSP_REQUEST_TARGET.

B (1 bit): If set, requests OEM character set
encoding. An alternate name for this field is NTLM_NEGOTIATE_OEM. See
bit A for details.

A (1 bit): If set, requests Unicode
character set encoding. An alternate name for this field is NTLMSSP_NEGOTIATE_UNICODE.